View From The Edge: musings on security and other things... by Bob Walder<br />
<br />
The Emperor Would Like His Clothes Back Please!<br />
Posted 14 April 2013<br />
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
There has been some discussion over on LinkedIn about the difference between NGFW and UTM and whether or not those terms are interchangeable. It seems the opinions vary depending on whether you are a) a confused customer, b) a vendor, or c) an analyst firm with a vested interest in perpetuating a distinction that no longer exists – if indeed it ever did. </div>
<img alt="" src="https://www.nsslabs.com/sites/default/files/upload/blog-post/images/Emperors-New-Clothes.jpg" style="background-color: #fdfdfd; border: 0px; color: #6f6f6f; float: right; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; height: auto; line-height: 19px; margin-bottom: 0px; max-width: 100%; outline: none; vertical-align: middle; width: 200px;" /><div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
Well you know what they say about opinions… so here is mine: NGFW was always nothing more than UTM for the enterprise.</div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
There, I said it! Yet even that distinction is being muddied as vendors geared up to sell and support SMB customers try to reposition themselves upmarket. The distinguishing factor here is not the technology, but the sales and support channels behind it.</div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
Some vendors that have historically been focused on the SMB market have now produced UTM technology that performs well enough to sit in front of a data center. And some of them have actually built effective enterprise sales and support channels to service their new customers. However, just because these things are now powerful enough to protect a data center doesn't mean they should.</div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
Thing is, UTM/NGFW is really only for protecting users, not servers, and that is the main technological distinction. Our enterprise clients are firm in their belief that the NGFW/UTM can be deployed at the network perimeter to protect desktops, but in front of their servers in the data center they are still deploying separate boxes for firewall, IPS, SWG, etc. You can, of course, disable one or more security features in a UTM/NGFW to make it into an IPS, SWG, and so on, and that is how many of these devices are being used.</div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
One thing you cannot do with most of these devices, however, is turn off everything but the firewall and expect to have the equivalent of your legacy firewall - too many of them rely on other security modules to beef up the firewall functionality, and generally they don't have the performance capabilities of a dedicated "legacy" device. We see that time and again in our tests at NSS, and the dependency of the firewall on other security modules is the scariest feature of these devices, and the main reason why they will not (and should not) replace dedicated firewalls in the data center for the foreseeable future. </div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
Because of these limitations, the “next generation” part of NGFW is not being bought into as much as vendors would have us believe, since many purchasers are actually disabling most of the features. In the networks belonging to most of the clients to whom we speak, even the much-vaunted application awareness capability is typically being used in passive mode to gain visibility, rather than in block mode to prevent attacks. </div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
Despite the limitations, these devices do have their place in the network, but please can we give the Emperor his clothes back now and call it like it is? NGFW = UTM. Period.</div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
Then maybe we can get on with selecting the most appropriate technology/device to provide the protection we need at different points in our network and stop arguing over marketing terminology.</div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
If you would like to read more about this, NSS subscribers can download the latest research by Andrew Braunberg and myself entitled “<a href="https://www.nsslabs.com/reports/next-generation-firewall-enterprise-story" rel="nofollow" style="color: #00539f; outline: none; text-decoration: none;">Next Generation Firewall: The Enterprise Story</a>”. Follow me on Twitter (@bwalder) to keep informed as new research is released.</div>
Artistic Interpretation Discouraged<br />
Posted 12 March 2013<br />
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
It seems my recent <a href="https://www.nsslabs.com/blog/bending-rules-and-truth" rel="nofollow" style="color: #00539f; outline: none; text-decoration: none;">blog post</a> caused quite a stir. This came as something of a surprise to me, given that our Marketing Police spend a lot of time slapping vendors on the wrist over their various marketing exuberances, and our budget for cease and desist letters from our legal counsel is approaching the size of our testing budget!<br />
<img alt="Artistic Interpretation" src="https://www.nsslabs.com/sites/default/files/upload/blog-post/images/Mona-Lisa.png" style="border: 0px; float: right; height: auto; margin-bottom: 0px; max-width: 100%; outline: none; vertical-align: middle;" /></div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
So I was somewhat amused to observe the extent to which it was picked up by the press and the Twittersphere, including the ludicrous comments made by a certain vendor to try and explain away its poor performance in the test. It is always disturbing when a vendor chooses a PR offensive over protecting its customers by fixing security failings discovered in our tests.</div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
After all, there is nothing remotely subjective about the SVM – it is based entirely on the test results. If you fail any of the tests it affects your position on the final graphic – simple as that. The <strong style="outline: none;">only</strong> way to improve your position is to a) improve performance of the device, b) reduce the cost of the device (including management, updates, maintenance, etc.) thus improving the TCO, or c) FIX THE SECURITY PROBLEMS IN YOUR DEVICE!</div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
Anyhow, I digress. Back to the original subject of the blog which, as you undoubtedly all know by now, was Check Point's alteration of the SVM graphic to remove some of its competitors. Was this a dumb thing to do? Undoubtedly. Was it against all of the terms and conditions under which we grant marketing rights? Absolutely. Did it affect the integrity of the underlying research? Categorically <strong style="outline: none;">not</strong>.</div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
Just to clarify. Check Point erased a couple of data points on the final graphic, and states this was due to an error made by an outside contractor in the rush to get things ready for RSA. However, it did <strong style="outline: none;">not</strong> alter the data. It did <strong style="outline: none;">not</strong> alter the position of its device, nor of any of the other devices alongside it. It did <strong style="outline: none;">not</strong> (indeed, it cannot) alter the <em style="outline: none;">Product Analysis Report (PAR)</em> nor any of the <em style="outline: none;">Comparative Analysis Reports (CARs)</em> that serve up the data that is used to generate the final SVM.</div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
While creativity and artistic interpretation are often very useful in the creation of a masterpiece of fiction, never forget that the original subject always remains unchanged by the ministrations of the artist :o)</div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
Follow me on Twitter (<a href="http://twitter.com/bwalder" rel="nofollow" style="color: #00539f; outline: none; text-decoration: none;" target="_blank">@bwalder</a>) to keep informed as new research is released or to gain insight into any new important works of fiction I may come across!</div>
Bending The Rules And The Truth<br />
Posted 28 February 2013<br />
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
It is very important to us at NSS to ensure that we are scrupulously fair and impartial when it comes to running our public group tests and presenting the results. We take great pains to ensure that the test data is accurate and is reflected correctly in the finished reports on our Web site - reports that go through countless levels of peer review before they are published.</div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none; text-align: center;">
<img alt="" src="https://www.nsslabs.com/sites/default/files/upload/blog-post/images/unicorn-rainbow.png" style="border: 0px; float: right; height: auto; margin-bottom: 0px; max-width: 100%; outline: none; vertical-align: middle;" /></div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
There are also some very strict guidelines all vendors must follow when reusing our reports and results in their own marketing efforts. For example, they are not allowed to alter our words, put words in our mouth, or change our graphics or the way we present results. And they are not allowed to say things like “<em style="outline: none;">NSS Labs says the AwesomeSauce 2000 is way better than the Craptastic 8 when it comes to blocking bad stuff in your network</em>,” or “<em style="outline: none;">NSS Labs Ranks The Balloonicorn 8180X3cV1.23 Build 33 Number 1 In The Entire Universe.</em>”</div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
Because, when all is said and done, we didn’t! Did we?</div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
Which is why it pains us greatly when vendors take liberties with our stuff. Like, say, reproducing the latest SVM graphic from our <a href="https://www.nsslabs.com/reports/next-generation-firewall-comparative-analysis-2013" rel="nofollow" style="color: #00539f; outline: none; text-decoration: none;">NGFW report</a> and…. wait for it… removing the data points of its competitors. Surely no one would do that, would they?</div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
Well, just in case they did, here is what the graphic <strong style="outline: none;">should</strong> look like in all its unadulterated, unmodified glory. Just in case, you know, you should happen to come across another (unauthorized and unapproved!) version out there on the Interwebs.</div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
So here you go….</div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none; text-align: center;">
<img alt="" src="https://www.nsslabs.com/sites/default/files/upload/blog-post/images/2013%20NGFW%20SVM_0.jpg" style="border: 0px; height: auto; margin-bottom: 0px; max-width: 100%; outline: none; vertical-align: middle;" /></div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
Follow me on Twitter (<a href="http://twitter.com/bwalder" rel="nofollow" style="color: #00539f; outline: none; text-decoration: none;" target="_blank">@bwalder</a>) to keep informed as new research is released or to see pictures of errant marketing folks getting caught red-handed altering stuff they shouldn’t!</div>
Is the Skyfalling? James Bond, Miss Moneypenny and the Kill Chain<br />
Posted 5 December 2012<br />
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
When NSS analysts Stefan Frei <em style="outline: none;">(<a href="https://twitter.com/stefan_frei" rel="nofollow" style="color: #00539f; outline: none; text-decoration: none;" target="_blank">@stefan_frei</a></em>) and Frank Artes <em style="outline: none;">(<a href="https://twitter.com/franklyfranc" rel="nofollow" style="color: #00539f; outline: none; text-decoration: none;" target="_blank">@franklyfranc</a></em>) started talking to me about the <em style="outline: none;">kill chain</em>, my mind immediately drifted into the world of sharp tuxedos, Aston Martin DB5s and Walther PPKs.</div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
Once they dragged me back to reality, however, they demonstrated something almost as cool; it didn’t even require two Ethernet cables plugged into my laptop (OK, so if you haven’t seen the movie that means absolutely nothing to you!)</div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
Basically, the kill chain refers to the route from an external attacker to a target, which leads to the compromise of a victim’s server or desktop machine, and looks something like this:</div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none; text-align: center;">
<img alt="Cybercrime Kill Chain" src="https://www.nsslabs.com/sites/default/files/upload/blog-post/images/Cybercrime%20Kill%20Chain.png" style="border: 0px; height: auto; margin-bottom: 0px; max-width: 100%; outline: none; vertical-align: middle; width: 550px;" /></div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
The defender will try and break the kill chain at various points – at the network perimeter, in the core, or on the endpoint - to prevent the attack, or detect the breach should prevention fail.</div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
To prevent such attacks an enterprise can use firewalls, intrusion prevention systems (IPS), next generation firewalls (NGFW), endpoint protection systems (EPP), the Web browser’s built-in protection mechanisms, or any combination thereof.</div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
So far, so good. But as we have witnessed from test after test and report after report coming out of NSS’ testing facility in Austin, TX, vendors’ expansive claims regarding security effectiveness rarely hold up in real-world deployments. So enterprises resort to a strategy of “defense in depth”, installing multiple layers of security (e.g. firewall plus IPS plus EPP, or even multiple versions of one or more of those products, for those with healthy security budgets). The expectation behind this is that one device may block exploits missed by another, which leads to the oft-used formula for the <em style="outline: none;">protection failure rate</em> of a stack: if layers A and B fail independently, the failure rate of the two combined is the product of their individual failure rates, P<sub>A</sub> × P<sub>B</sub> = P<sub>A∘B</sub>.</div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
Not so fast. It turns out that by feeding data from our most recent tests of different types of security products into Maltego<a href="https://www.nsslabs.com/blog/skyfalling-james-bond-miss-moneypenny-and-kill-chain#_ftn1" rel="nofollow" style="color: #00539f; outline: none; text-decoration: none;">[1]</a> and applying some proprietary transforms created by NSS analysts, we can identify how, even with multiple security products in the “security stack”, certain groups of exploits or evasion techniques can bypass the entire defense system as if it wasn’t there.</div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
Maltego is a program that can be used to determine the relationships and real world links between many things, and has been adapted by NSS researchers to show the relationship and correlation of unblocked exploits through a layered security stack of hardware and software tools. Utilizing the empirical data collected during NSS’ tests on NGFW, IPS, breach detection systems (BDS), endpoint security, browser security, and antivirus engines, paired with data on exploit availability of popular crimeware kits or penetration testing tools (e.g. Metasploit) we are able to model layered defense stacks and illustrate exploits that are able to evade detection by the entire stack. We can also simulate popular or customer-specific software portfolios, allowing mapping simulations specific to their infrastructure environment.</div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
In the image below (which was produced by our proprietary Maltego transforms) we can see three different types of security device (green dots) and the exploits that went undetected by each (blue dots.) The group in the middle identifies those exploits that successfully evade detection by all three technologies in this security stack.</div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none; text-align: center;">
<img alt="Modeled Defense Layers" src="https://www.nsslabs.com/sites/default/files/upload/blog-post/images/Modeled%20layered%20defenses.png" style="border: 0px; height: auto; margin-bottom: 0px; max-width: 100%; outline: none; vertical-align: middle; width: 550px;" /></div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
It is evident that the protection failure rate formula no longer holds true: the exploits missed by the disparate layers of the security stack are correlated, so the independence assumption behind the formula fails and the stack lets through far more than the product of the per-layer rates would predict. </div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
We can also approach this from an offensive standpoint, drilling down into the data from another direction to identify the smallest group of exploits and/or evasion techniques that would be required to evade a specific security stack. During the test illustrated below, three exploits were discovered that are unidentified by seven of the ten tested vendors. These seven vendors represent over 90% of the market share of deployed IPS.</div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none; text-align: center;">
<img alt="Exploits that bypass IPS" src="https://www.nsslabs.com/sites/default/files/upload/blog-post/images/exploits%20bypass%20IPS.png" style="border: 0px; height: auto; margin-bottom: 0px; max-width: 100%; outline: none; vertical-align: middle; width: 400px;" /></div>
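<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
To make the correlation point concrete, here is an added example that is not NSS Labs code and uses none of its data: the three product names, the twelve exploits and the per-layer miss sets are constructed. It computes the stack's failure rate both ways, under the independence assumption (P<sub>A</sub> × P<sub>B</sub> × P<sub>C</sub>) and from the actual intersection of the per-layer miss sets, which is what the Maltego graphic above shows visually. It also takes the attacker's view from the previous paragraph, ranking exploits by how many layers miss them.</div>

```python
"""Layered-defence bypass model.

Added example (not NSS Labs code or data). The per-product miss sets below
are constructed, hypothetical test results; the product names are placeholders.
"""
from collections import Counter

# Constructed: a test set of 12 exploits, E01..E12.
TEST_SET = frozenset(f"E{i:02d}" for i in range(1, 13))

# Constructed: exploits each layer FAILED to block in a hypothetical test.
# The overlap on E01/E02 is deliberate: it models the correlated misses the
# post describes, e.g. a shared evasion technique that fools every engine.
MISSED = {
    "ngfw": {"E01", "E02", "E03", "E04", "E05"},            # 5 of 12 missed
    "ips": {"E01", "E02", "E03", "E06"},                     # 4 of 12 missed
    "endpoint": {"E01", "E02", "E07", "E08", "E09", "E10"},  # 6 of 12 missed
}


def failure_rate(product):
    """Fraction of the test set a single product failed to block."""
    return len(MISSED[product]) / len(TEST_SET)


def independent_stack_failure(products):
    """Textbook estimate: if misses were independent, the stack's failure
    rate would be the product of the per-layer rates (P_A x P_B x ...)."""
    rate = 1.0
    for product in products:
        rate *= failure_rate(product)
    return rate


def observed_stack_failure(products):
    """Empirical rate: an exploit gets through only if EVERY layer missed it,
    so the stack's bypass set is the intersection of the per-layer miss sets.
    Returns (rate, bypass_set)."""
    bypass = set.intersection(*(set(MISSED[p]) for p in products))
    return len(bypass) / len(TEST_SET), bypass


def exploits_missed_by_at_least(min_products):
    """Attacker's view: exploits that slip past at least `min_products`
    layers, ranked by how many products miss them (ties broken by name).
    A short list with a high count is the minimal toolkit the post describes."""
    counts = Counter(e for misses in MISSED.values() for e in misses)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [exploit for exploit, n in ranked if n >= min_products]


if __name__ == "__main__":
    stack = ["ngfw", "ips", "endpoint"]
    naive = independent_stack_failure(stack)
    actual, bypass = observed_stack_failure(stack)
    print(f"independence assumption: {naive:.3f} of exploits bypass the stack")
    print(f"observed from miss sets:  {actual:.3f} {sorted(bypass)}")
    print("missed by >= 2 layers:", exploits_missed_by_at_least(2))
```

<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
With these constructed numbers the independence formula predicts a stack failure rate of about 0.069 (5/12 × 4/12 × 6/12), yet two of the twelve exploits (0.167) actually get past all three layers, because both were missed by every product. The same miss sets, read the other way, show that an attacker needs only E01 and E02 to defeat the whole stack. Replace the constructed sets with your own test results to model a real stack.</div>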
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
The implications are staggering, and this is the subject of a presentation given by Stefan and Frank at BlackHat Abu Dhabi this week. This is groundbreaking stuff, and right up there amongst the most important research ever to come out of our team of analysts.</div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
It is already changing the way some NSS clients are viewing their approach to threat mitigation. Some clients are already providing us with custom data from their own environments to enable us to model the security stack and relevant kill chain for them and identify those areas that require immediate attention.</div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
Let’s see James Bond do that!</div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
<em style="outline: none;">This research is available in two analyst briefs: <a href="https://www.nsslabs.com/reports/cybercrime-kill-chain-vs-defense-effectiveness" rel="nofollow" style="color: #00539f; outline: none; text-decoration: none;">Cybercrime Kill Chain vs. Defense Effectiveness</a>, and <a href="https://www.nsslabs.com/reports/modeling-evasions-layered-security" rel="nofollow" style="color: #00539f; outline: none; text-decoration: none;">Modeling Exploit Evasions in Layered Security</a>. These briefs are available outside the NSS pay wall and can be downloaded by both subscribers and non-subscribers free of charge. NSS clients should arrange inquiry calls with analysts to discuss the research and investigate how it might be applied to their environment to help with risk mitigation. Follow me on Twitter (<a href="http://twitter.com/bwalder" rel="nofollow" style="color: #00539f; outline: none; text-decoration: none;" target="_blank">@bwalder</a>) to keep informed as new research is released.</em></div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
<a href="https://www.nsslabs.com/blog/skyfalling-james-bond-miss-moneypenny-and-kill-chain#_ftnref1" rel="nofollow" style="color: #00539f; outline: none; text-decoration: none;"><em style="outline: none;"><strong style="outline: none;">[1]</strong></em></a><em style="outline: none;"> <a href="http://en.wikipedia.org/wiki/Maltego" rel="nofollow" style="color: #00539f; outline: none; text-decoration: none;">http://en.wikipedia.org/wiki/Maltego</a></em></div>
Newer Is Not Always Better<br />
Posted 21 June 2012<br />
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
One of the great insights we have at NSS Labs, given the work that we do, is into the trends demonstrated by vendors in terms of performance and security effectiveness across multiple versions of a product.</div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none; text-align: center;">
<img alt="Newer is not always better" src="https://www.nsslabs.com/sites/default/files/import/assets/images/blog/broken-chain.jpg" style="border: 0px; float: right; height: auto; margin-bottom: 0px; max-width: 100%; outline: none; vertical-align: middle;" /></div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
For some reason, the area we see that is broken most often during a product refresh is anti-evasion measures. Protections that have been in place over several versions can suddenly disappear as a particular section of the code base is updated to include shiny new features. The other major hurdle for many vendors is the move from one hardware platform to another. This often requires major code revisions, if not a complete rewrite, and in this fast-moving industry it is rare that the folks who wrote the original code are still around. The result can be problems in performance and/or security effectiveness that did not exist in previous incarnations of the product.</div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
These deltas and trends across multiple versions allow our analysts to provide actionable advice to NSS subscribers on whether or not to upgrade to a new version of a product, or stay with an older version until problems are fixed (or until it is time to refresh completely and you can investigate other options.)</div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
The response we get from a vendor when we find these issues tells us a lot about how they value their customers over their shareholders, or vice versa. Some are all over the problem and want to work closely with our engineers to discover the root cause of the issues so they can be fixed. Others respond with veiled threats copied to legal counsel, and some serious marketing spin. I would much prefer to see a vendor employ a couple of new developers and fix their problems rather than launch a PR offensive and budget for some legal fees. Either way, we never shy away from publishing the results.</div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
This is why it is important not to simply look at our test reports at purchase time, but also review new reports throughout the life of each security product you have deployed. This can help ensure that no costly mistakes are made in deploying product updates that could have potentially disastrous consequences to your business.</div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
Dogs and children may be for life, but you are not committed to a security vendor in the same way. There is nothing to stop you from doing a forklift upgrade of a product from a vendor that has lost the plot in terms of quality control, and the cost of doing so could be far less than the cost of upgrading to a faulty product just because the vendor wants to EOL the one you have.</div>
<div style="background-color: #fdfdfd; color: #6f6f6f; font-family: 'Open Sans', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 13px; line-height: 19px; margin-bottom: 20px; outline: none;">
Follow me on Twitter (<a href="http://twitter.com/bwalder" rel="nofollow" style="color: #00539f; outline: none; text-decoration: none;"><strong style="outline: none;">@bwalder</strong></a>) to keep informed as new research is released.</div>
<br />
SonicWALL And Dell: What Are The Risks For Enterprise Customers? (Bob Walder, 2012-03-20)<br />
As you can’t have failed to notice by now, a hardware vendor bought a UTM vendor last week. Of what earthly interest could that be to enterprise security folk? As it happens, the Dell acquisition of SonicWALL is interesting for a couple of reasons. The first is the concern many SuperMassive customers might have regarding its future under a company not renowned for its enterprise security products; the second is the way Dell is setting its stall out to take on HP and Cisco in the enterprise.<br />
<br />
The SonicWALL acquisition strengthens Dell’s security offerings considerably for both enterprise and small to medium-sized business (SMB) customers. Although there are hurdles to be overcome, NSS Labs considers this a positive move for current and potential SonicWALL customers, particularly those considering deployment of the SuperMassive NGFW platform.<br />
<br />
This acquisition is actually more positive for SonicWALL, its partners and customers than a scenario where the company was purchased by a larger security vendor seeking a rapid entry into the unified threat management (UTM) or next generation firewall (NGFW) market. Dell is clearly seeking to build an enterprise class portfolio of servers, data storage, core networking, and security products that will allow it to compete with established enterprise vendors such as HP and Cisco.<br />
<br />
During the recent NSS Labs NGFW Group Test, one of the concerns of our analysts was in SonicWALL’s ability to execute in terms of SuperMassive support in the enterprise space. It is vital that the Dell acquisition accelerates the growth of the enterprise support group to ensure the success of SuperMassive going forward.<br />
<br />
One other area of potential concern is the lack of any mention of the Aventail SSL VPN product line. Customers and potential customers of the Aventail products should seek assurances from SonicWALL and Dell that their needs will be met to their satisfaction going forward.<br />
<br />
This deal also underscores the importance of having security products in a complete enterprise-computing portfolio. For larger security or networking companies looking to acquire this kind of technology to flesh out a portfolio, the shopping list is getting shorter by the day, with the likes of Fortinet, Stonesoft and Sourcefire standing out as potential acquisition targets.<br />
<br />
I have just completed an Analysis Brief that addresses this transaction in more depth and covers the potential risks and concerns to enterprise customers. This brief sits outside the NSS Labs paywall and is available to both subscribers and non-subscribers free of charge. Follow me on Twitter (@bwalder) to keep informed as new research is released.<br />
Bailouts (Bob Walder, 2011-12-06)<br />
It is a slow day in a little Greek village. The rain is beating down and the streets are deserted. Times are tough, everybody is in debt, and everybody lives on credit. <br /><br />On this particular day a rich German tourist is driving through the village, stops at the local hotel and lays a $100 note on the desk, telling the hotel owner he wants to inspect the rooms upstairs in order to pick one to spend the night. <br /><br />The owner gives him some keys and, as soon as the visitor has walked upstairs, the hotelier grabs the $100 note and runs next door to pay his debt to the butcher. <br /><br />The butcher takes the $100 note and runs down the street to repay his debt to the pig farmer. <br /><br />The pig farmer takes the $100 note and heads off to pay his bill at the supplier of feed and fuel. <br /><br />The guy at the Farmers' Co-op takes the $100 note and runs to pay his drinks bill at the taverna. <br /><br />The publican slips the money along to the local prostitute drinking at the bar, who has also been facing hard times and has had to offer him "services" on credit. <br /><br />The hooker then rushes to the hotel and pays off her room bill to the hotel owner with the $100. <br /><br />The hotel proprietor then places the $100 note back on the counter so the rich traveller will not suspect anything. 
At that moment the traveller comes down the stairs, picks up the $100 note, states that the rooms are not satisfactory, pockets the money, and leaves town. <br /><br />No one produced anything. <br /><br />No one earned anything. <br /><br />However, the whole village is now out of debt and looking to the future with a lot more optimism. <br /><br />And that, Ladies and Gentlemen, is how the bailout package works ;o)<br /><br />(PS: Of course, the real problem facing Europe is that the rich German DOES indeed realize what is happening and doesn't want the Greeks to get off scot-free and so is demanding his cut in the way of interest on the $100!)<br />
Dog For Sale (Bob Walder, 2011-11-11)<br />
<img src="http://lh5.ggpht.com/-GgkrKyGCZ6Q/Tr1aj9Lw2LI/AAAAAAAACFE/bsOE0njxx6k/image001.jpg?imgmax=800" alt="image001.jpg" border="0" width="500" height="375" align="right" />A guy is driving around the back woods of Montana and he sees a sign in front of a broken-down shanty-style house: 'Talking Dog For Sale'. He rings the bell and the owner appears and tells him the dog is in the backyard.<br /><br />The guy goes into the backyard and sees a nice-looking Labrador retriever sitting there.<br /><br />'You talk?' he asks. <br />'Yep,' the Lab replies. <br /><br />After the guy recovers from the shock of hearing a dog talk, he says 'So, what's your story?'<br /><br />The Lab looks up and says, 'Well, I discovered that I could talk when I was pretty young. 
I wanted to help the government, so I told the CIA.<br /><br />In no time at all they had me jetting from country to country, sitting in rooms with spies and world leaders, because no one figured a dog would be eavesdropping.'<br /><br />'I was one of their most valuable spies for eight years running...<br /><br />But the jetting around really tired me out, and I knew I wasn't getting any younger so I decided to settle down. I signed up for a job at the airport to do some undercover security, wandering near suspicious characters and listening in. I uncovered some incredible dealings and was awarded a batch of medals.'<br /><br />'I got married, had a mess of puppies, and now I'm just retired.' <br /><br />The guy is amazed. He goes back in and asks the owner what he wants for the dog. <br /><br />'Ten dollars,' the guy says.<br /><br />'Ten dollars? This dog is amazing! Why on earth are you selling him so cheap?' <br /><br />'Because he's a liar. He's never been out of the yard.'<br /><br /><img src="http://lh5.ggpht.com/-pXHLuf9lx54/Tr1a_a1aJqI/AAAAAAAACFM/gr__Vo4ilmc/image002.jpg?imgmax=800" alt="image002.jpg" border="0" width="420" height="315" align="left" /><br />
Why iOS Data Protection is Adequate for Corporate Use (And Why The Siri “Vulnerability” is a Non-issue) (Bob Walder, 2011-10-21)<br />
First things first. The so-called Siri "vulnerability" that was widely reported this week is a dumb non-issue created by journalists seeking sensationalist headlines. A simple setting disables the ability to use Siri without unlocking the phone, rendering the whole issue moot. What the sensationalists fail to take into account is that the iPhone is a consumer device. Most consumers don't even use a passcode. 
The obvious default setting for Siri in this case, as one of the attractive new USPs of the iPhone 4S, is to allow use even when the phone is locked - I don't think you can fault Apple for this.<br /><br />Now on the other hand, things need to change when these consumer devices are allowed in an enterprise. Exchange ActiveSync (EAS) or Mobile Device Management (MDM) software should be used to apply minimum security policies, which should always include a complex passcode of more than 4 characters, auto-wipe on multiple failed passcode attempts and, of course, disabling Siri without unlock (this latter capability would require MDM, since it is not available in EAS). There are many other security settings that should be addressed too, but the main one is the passcode. <br /><br />Once the passcode is enabled, Data Protection is turned on. Now, Data Protection is NOT full disk encryption, although encryption IS turned on globally. However, you should assume that it only encrypts data in applications that support the Data Protection APIs (this is an oversimplification, but the details are too complex for a blog post and are the subject of an Analysis Brief that will be available shortly to NSS subscribers). <br /><br />Out of the box, that is the iOS Mail client, for example. Other commercial apps will support Data Protection too, though these are few and far between right now - GoodReader is one of the best known. Others include USB Disk Pro, mobilEcho and the Box.net iOS client. There are several more, but not enough of them given that these capabilities have been available since the pre-release of iOS4, and we are now on iOS5!!! This continues to be a sore point with me as many developers make a big deal out of pushing their apps as business-class, yet spend more time making nice UIs and not enough securing the data that they are supposed to be protecting. 
Bear in mind that these apps will typically be used to access corporate documents, in many cases storing them locally on the device outside the control of corporate IT. That data needs to be encrypted.<br /><br />With apps that support Data Protection, you have an additional layer of encryption on the iOS device. If you have a passcode set on the iPhone and you turn on Data Protection in GoodReader, all of the docs stored in the GoodReader sandbox will be encrypted in the same way as data stored by the Mail app. You can even have some data in the clear and restrict encryption to certain files or folders. <br /><br />So far so good, but what about those “researchers” that have written about the fact that jailbreaking an iOS device or connecting one to Ubuntu will provide access to all data on that device? Yes, unfortunately it is possible to jailbreak an iOS device and completely bypass the passcode. There are other ways to bypass the passcode too (such as that issue with Ubuntu). Because of the way iOS implements the Data Protection capability, once the passcode is entered or bypassed, all of the data on the device that is not specifically protected by the Data Protection APIs is decrypted on the fly.<br /><br />Therefore, if someone jailbreaks my iPhone they will be able to access all of the documents stored in the ReaddleDocs or PDF Expert sandbox because the iPhone will decrypt on the fly as the data is accessed. However, if they try to access my Mail data or anything stored in the GoodReader sandbox, they will only see encrypted data. Same thing goes for items stored in the keychain. Anything stored in the clear will be accessible when a device is jailbroken. Anything written using Data Protection APIs will remain encrypted.<br /><br />Only by entering the passcode can that encrypted data become available. This is an important distinction that needs to be understood. 
Jailbreaking/bypassing the passcode DOES NOT BREAK iOS ENCRYPTION - it merely bypasses the basic protection on the device. Anything stored using Data Protection APIs WILL REMAIN ENCRYPTED EVEN FOLLOWING JAILBREAK.<br /><br />There is no way to brute force the passcode off-device since it is tied to the hardware. If you have auto-wipe turned on, too many attempts to brute force the key on-device will result in a wipe. One nasty problem is that you CAN do brute force attempts on-device without triggering auto-wipe by bypassing the UI APIs that ask for the passcode, so that is why security-conscious folk need to ensure they use a longer, complex, alphanumeric passcode that will resist brute force attempts.<br /><br />So there you have it. Could Apple’s encryption scheme be better? Yes, of course it could. There are some caveats, and I would have preferred it to be full-device encryption, or at least to have a central document storage area that is always encrypted by default. However, my opinion is that iOS devices are perfectly acceptable and secure enough for corporate use PROVIDING they have a sensible security policy applied, Data Protection is turned on, a complex passcode is used and any sensitive data is ONLY stored within apps that support Data Protection APIs. Corporate users should always ask iOS developers if their app supports Data Protection and avoid those that do not.<br /><br />The Sophos post and original Fraunhofer research, and any others spouting similar opinions, can be dismissed with a simple analogy, since they appear to assume Data Protection is not being used - if that is really the case, it is like leaving your keys in the ignition and locking the door, then complaining when someone smashes the window and drives off with your car!<br /><br />I am taking a significant number of inquiries from NSS clients each week on this subject, proving that it remains confusing for many. I hope this helps a little. 
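<br /><br />As an added illustration (not code from the original post or from any of the apps named in it), this is how an iOS app opts its files into the Data Protection class discussed above using the public Foundation APIs of the iOS 4/5 era: a default write leaves the file in whatever class the app gets by default, while writing with NSDataWritingFileProtectionComplete, or re-tagging an existing file with NSFileProtectionComplete, ties it to the passcode. The file name and sample payload are constructed for the example, and it assumes it runs inside an iOS app sandbox on a device with a passcode set.<br />

```objective-c
#import <Foundation/Foundation.h>

// Added example, not the post's own code. Assumes an iOS app sandbox; protection
// classes have no effect on a desktop filesystem.

// Returns the Data Protection class recorded on a file (NSFileProtectionNone,
// NSFileProtectionComplete, ...), or nil if the attributes cannot be read.
static NSString *ProtectionClassForPath(NSString *path) {
    NSError *error = nil;
    NSDictionary *attrs = [[NSFileManager defaultManager] attributesOfItemAtPath:path
                                                                           error:&error];
    if (attrs == nil) {
        NSLog(@"attributesOfItemAtPath failed: %@", error);
        return nil;
    }
    return attrs[NSFileProtectionKey];
}

// Writes a document the way many apps still do: without asking for a class.
// On the iOS of the post's time that meant NSFileProtectionNone, whose key is
// device-bound only, so the file is readable once the passcode is bypassed.
static BOOL WriteUnprotected(NSData *payload, NSString *path, NSError **error) {
    return [payload writeToFile:path options:NSDataWritingAtomic error:error];
}

// Writes the same document in the Complete class. The per-file key is wrapped
// with a class key that is only available while the device is unlocked, so the
// bytes stay opaque after a jailbreak (the Mail / GoodReader behaviour above).
static BOOL WriteProtected(NSData *payload, NSString *path, NSError **error) {
    return [payload writeToFile:path
                        options:(NSDataWritingAtomic | NSDataWritingFileProtectionComplete)
                          error:error];
}

// Re-tags a file that already exists on disk; iOS re-wraps its file key under
// the new class. Useful when migrating an app's existing sandbox contents.
static BOOL UpgradeToComplete(NSString *path, NSError **error) {
    return [[NSFileManager defaultManager] setAttributes:@{NSFileProtectionKey: NSFileProtectionComplete}
                                            ofItemAtPath:path
                                                   error:error];
}

int main(int argc, char *argv[]) {
    @autoreleasepool {
        NSArray *dirs = NSSearchPathForDirectoriesInDomains(NSDocumentDirectory,
                                                            NSUserDomainMask, YES);
        NSString *path = [[dirs objectAtIndex:0] stringByAppendingPathComponent:@"board-pack.txt"];
        // Constructed sample payload standing in for a corporate document.
        NSData *payload = [@"constructed sample: confidential board minutes"
                           dataUsingEncoding:NSUTF8StringEncoding];
        NSError *error = nil;

        if (!WriteUnprotected(payload, path, &error)) {
            NSLog(@"default write failed: %@", error);
            return 1;
        }
        NSLog(@"after default write:   %@", ProtectionClassForPath(path));

        if (!UpgradeToComplete(path, &error)) {
            NSLog(@"setAttributes failed: %@", error);
            return 1;
        }
        NSLog(@"after re-tagging:      %@", ProtectionClassForPath(path));

        if (!WriteProtected(payload, path, &error)) {
            NSLog(@"protected write failed: %@", error);
            return 1;
        }
        NSLog(@"after protected write: %@", ProtectionClassForPath(path));

        // An app that wants to enforce its own policy checks the class it got
        // back rather than trusting that every write site remembered the option.
        return [ProtectionClassForPath(path) isEqualToString:NSFileProtectionComplete] ? 0 : 2;
    }
}
```

<br />Reading the attribute back is the check a corporate buyer can ask a developer to demonstrate: if a sensitive file does not report NSFileProtectionComplete, it is in the "ReaddleDocs" situation the post describes, not the "GoodReader" one.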
In addition, as I mentioned earlier, there are a couple of NSS Labs Analysis Briefs in the works covering iOS Data Protection and other security issues facing corporate users of consumer devices. These will be available to subscribers only. Follow me on Twitter (@bwalder) to keep informed as new research is released.<br />
Testing Times for CISOs (Bob Walder, 2011-09-30)<br />
Performance and effectiveness claims from vendors of network security products can never be taken at face value. In a process crucial to making the right buying decisions, how do the CISO, CIO and other security professionals ensure that new in-line security products are tested thoroughly in an environment that replicates as closely as possible that found in his or her own network?<br /><br />Selecting security products is a complex process that carries significant risks if not executed correctly; poorly chosen products can fail to protect against serious threats, cause serious performance problems for enterprise networks and waste scarce financial resources. CISOs, CIOs and other security professionals need to develop and execute an enterprise-specific in-house testing plan before evaluating and purchasing security products.<br /><br />Failing to test security products before buying them means organizations run the risk of performance limitations, security failures and overspending. Weaknesses in security coverage can often remain undiscovered for long periods of time, leaving those organizations at risk of losing corporate assets or compliance status. Installing in-line security devices such as Firewalls, Intrusion Prevention Systems (IPS), and Secure Web Gateways can lead to a false sense of security unless vendor claims are verified. 
Critical servers often remain unpatched in the belief they are protected by an IPS, when claimed coverage is actually less effective than promised. In addition, fear of false positives can lead enterprises to run IPS devices in a less secure IDS mode, thereby forfeiting protective properties and increasing operating costs and risk. Selecting the wrong network security device can thus expose a company to serious threats from both inside and outside the network perimeter. <br /><br />Poor performance from an in-line device once placed in a live network can also have serious consequences as latency increases to unacceptable levels. High latency or frequent “fail closed” events can result in active devices being redeployed in a passive state or having blocking disabled, significantly reducing their effectiveness.<br /><br />Cost is an issue too. Without performing relevant tests in-house, organizations could be persuaded to overspend significantly, purchasing devices with performance and coverage levels that are not required.<br /><br />In-house testing can help alleviate many of these problems, and it is important for organizations to use testing procedures designed for their own threat environment to determine the best in-line network security products for their specific needs.<br /><br />NSS Labs has recently published an Analysis Brief covering key points CISOs need to know about testing security products, entitled <a href="https://www.nsslabs.com/research/analysis-briefs/cisos-guide-to-the-importance-of-testing-security-devices.html">The CISO’s Guide to the Importance of Testing Security Devices</a> (subscription required). 
Follow me on Twitter (<a href="https://twitter.com/#!/bwalder">@bwalder</a>) to keep informed as new research is released.<br />
How Will You Manage iOS5 Devices in Your Corporate Network? (Bob Walder, 2011-07-21)<br />
I have taken a significant number of inquiries recently from NSS Labs’ enterprise clients to discuss the increase in the level of demand for employee-owned devices to be used on corporate networks. One of the disturbing trends is the number of CIOs admitting that end users are connecting those devices to the enterprise network with or without permission. Where security requirements and risk profiles permit, many organizations would be better advised to accommodate and control this behavior rather than attempt to prohibit it.
<br />
<br />In the past, it has been possible to enforce centralized control over mobile devices, and many companies standardized on single-vendor solutions such as the BlackBerry Enterprise Server (BES) from Research In Motion (RIM). Users do not typically select BlackBerry devices for personal use, however, and are bringing increasing pressure to bear on IT departments to permit access to corporate resources from a single device – their own.
<br />
<br />In many cases, employees will discover for themselves how to configure their personal mobile devices for corporate access, leaving IT departments with a dilemma – locate and prohibit unauthorized access, potentially limiting employee productivity in the process, or embrace the consumerization trend and find a way to manage and secure access via personal devices.
<br />
<br />IT departments need to exercise control over smartphone and tablet devices, whether company-owned or employee-owned. Employees are typically reluctant to cede control of their personal devices to IT. However, the added benefit of being able to access corporate resources such as email and file shares is frequently enough to persuade them to submit to some degree of centralized management.
<br />
<br />With the release of iOS version 4, iOS devices such as iPhone, iPod Touch and iPad can be more effectively deployed, managed and secured in enterprise environments, provided sufficient care is taken over securing the data on these devices and enforcing suitable corporate security policies. iOS5 will allow us to take things a step further, particularly given its ability to enable mobile devices to exist without being connected to iTunes (previously a huge bugbear for many organizations worried about deploying consumer-grade software in an enterprise network).
<br />
<br />One caveat here is that this move to a completely untethered, over the air (OTA) deployment scenario of the OS, updates, device activation, backup/restore, and even day-to-day synchronization may well introduce new attack vectors.
<br />
<br />Business customers also need to realize that Apple continues to consider itself primarily a consumer company. It retains no sizeable enterprise sales force, offers no specific enterprise-level support (forcing enterprise customers to rely on third parties), and refuses to communicate road map details outside of the company. Organizations need to consider these issues as part of their evaluations of iOS devices for enterprise applications. One glimmer of hope is that the recent introduction of Apple’s B2B App Store program permitting volume purchasing of apps (though not yet volume discounting!) may mark the beginning of an increasingly enterprise-friendly Apple. Well, we can hope!
<br />
<br />NSS Labs has recently published an Analysis Brief covering iOS management and security issues in more detail, entitled <a href="https://www.nsslabs.com/research/analysis-briefs/managing-ios5-devices-securely.html">Managing iOS Devices Securely in the Corporate Network</a> (subscription required).
<br />
<br />I also have an Analysis Brief in production right now for our subscribers that will address the Data Protection capabilities in iOS4 and iOS5, and how they should be used to protect sensitive corporate data. Follow me on Twitter (<a href="http://twitter.com/bwalder">@bwalder</a>) to keep informed as new research is released.<br />
Can you have too much security? (Bob Walder, 2011-06-23)<br />
Where organizations rely on application-aware security policies for their network security devices, or rely on Data Loss Prevention (DLP) products to prevent leakage of sensitive corporate material outside the network perimeter, the use of encrypted traffic means that those devices are suddenly blinded to the content, rendering deep packet inspection to the application level impossible. Cybercriminals are aware of this, and often make use of encrypted channels for covert command and control communications for botnets, as well as data exfiltration from the corporate network.
<br />
<br />Given the risk that encrypted channels may be used by malicious entities for botnet command and control or data exfiltration mechanisms, enterprises are faced with an unpalatable choice – leave traffic in the clear or lose visibility into the encrypted data stream. Of course, there are solutions to the problem – there always are! – such as ensuring that network monitoring and security products can handle decryption, inspection and re-encryption of traffic on the fly.
<br />
<br />The only issue is, how much of your already straining-at-the-seams security budget can you allocate to add SSL inspection capabilities to your infrastructure?
<br />
<br />And while this may seem the obvious solution, on-the-fly SSL inspection can have a number of issues that need to be considered, not least of which are privacy and performance. Vendor data sheets usually do not accurately reflect the real-world impact on performance, forcing organizations to perform their own testing to ensure network security devices are fit for their intended purpose.
<br />
<br />NSS Labs has a group test report in the pipeline covering SSL inspection capabilities of network security devices, and in the meantime, we have published a useful piece of research on <a href="https://www.nsslabs.com/research/analysis-briefs/what-cios-need-to-know-about-ssl.html">What CIOs Need to Know About SSL and its Effect on Network Traffic Inspection Capabilities</a> (subscription required).
<br />
<br />Follow me on Twitter (<a href="http://twitter.com/bwalder">@bwalder</a>) to keep informed as new research is released.<br />
Apple Gets Cozier With Enterprises With iOS5 (Bob Walder, 2011-06-09)<br />
One of the most frequent questions I hear in inquiry calls with our enterprise clients at the moment is “how do we manage and secure iPads on our corporate network?”
<br />
<br />Not “tablets” (at least, not yet), but “iPads” specifically.
<br />
<br />Whereas the smartphone began the push for consumerization and “bring your own device” (BYOD) in the enterprise, the iPad has consolidated that move. The dynamic has changed because the iPad appeals equally to senior executives and mere mortals, and the IT department finds it much harder to push back when the CEO demands his corporate email on his new iPad. Secure board communications systems (BCS) are also something of a hot topic right now, and the iPad is making a significant impact in that market too, offering, as it does, an attractive alternative to lugging around giant paper-based folders of corporate documents.
<br />
<br />With the release of iOS4, Apple introduced a number of features that finally allowed IT departments to consider the iPhone and iPad as “enterprise ready.” Mobile Device Management (MDM) APIs and Data Protection capabilities provided the means for enterprises to manage and secure both the devices themselves and the data stored on them.
<br />
<br />Questions remain as to how best to secure both device and data, and forthcoming research from NSS Labs on Data Protection and MDM will provide actionable advice to assist our enterprise clients in deploying these devices in corporate networks.
<br />
<br />iOS4 still fell short in a couple of key areas when it came to enterprise deployment, however. The lack of secure email support and reliance on iTunes – a consumer-grade software product – for critical processes such as device activation and backup were two major concerns.
<br />
<br />As expected, both of these will be addressed in the latest iOS5 release, though it remains to be seen how welcoming enterprise customers will be about certain aspects of Apple’s new baby. Having installed iOS5 on a few devices, I can say that it appears very solid so far for a beta product, though it is still missing some features that were promised in the WWDC keynote.
<br />
<br />S/MIME support addresses the secure email concern adequately, and it appears to work well. I tested using both standard commercial and self-signed certificates, and digital signing and encryption functions worked fine for sending and reading messages. Certificates are installed via configuration profiles using the iPhone Configuration Utility (IPCU), following which they need to be selected for signing, encryption or both on a per-mail account basis. This process will need to be streamlined in larger deployments by the use of third-party MDM solutions in order to scale. Grabbing certificates from messages sent to you to store in the address book is a simple, one-click process.
<br />
<br />The objection to iTunes has been addressed by the new “PC free” capabilities in iOS5. Apple explained at its developer conference that the aim was to add sufficient features on the device to remove the requirement for users to tether to their desktop. At the consumer end of things this includes features such as on-device photo editing, calendar creation and mailbox creation. For the enterprise, the killer blow comes with on-device activation and over the air (OTA) operating system updates, eliminating the requirement for iTunes in deploying iOS devices. Delta updates are also possible now, meaning that it will no longer be necessary to download the whole OS each time Apple issues a change. Backups will be achieved via the new iCloud service, and it remains to be seen how secure and acceptable this proves to be for enterprises (at this point in time I am unable to test all of the iCloud features).
<br />
<br />So nothing earth shattering, but a steady evolution of the system to make it ever more acceptable to enterprise customers. Apple could, and should, have gone further, however.
<br />
<br />Multiple email signatures with per-account defaults is a feature to which users are accustomed on their desktop mail clients. This is still missing from iOS and, while not a major problem, is something I find irksome on a daily basis as a business user.
<br />
<br />More serious is the continued omission of support for the iOS Data Protection APIs by Apple’s own “business” apps – Pages, Keynote and Numbers. Apple announced Data Protection with a fanfare with the release of iOS4 and informed us that, although Mail was the only native app to support those APIs back then, others would quickly follow. That appears to be an empty promise, since I am not aware of any other apps in the Apple stable that support the encryption APIs today.
<br />
<br />This capability becomes even more important with the announcement of the multi-device synchronization capabilities of iCloud, which could easily see confidential documents created on a Mac desktop pushed out automatically and invisibly to iPhones and iPads, where they will rest unprotected.
<br />
<br />Finally, we still do not have the ability to prohibit the creation and use of the escrow keybag when synchronizing to iTunes. This would be a simple feature to implement, and would provide an additional layer of protection for those relying on Data Protection capabilities to protect their data on mobile iOS devices. One other option would be to force permanent “PC free” mode, prohibiting iTunes synchronization at all, though that would require apps to support iCloud natively for file transfer, and is not something we are likely to see in the immediate future.
<br />
<br />I have an Analysis Brief in production right now for our subscribers that will address the Data Protection capabilities in iOS4 and iOS5, and how they should be used to protect sensitive corporate data. Follow me on Twitter (<a href="http://twitter.com/bwalder">@bwalder</a>) to keep informed as new research is released.
<br />
<br />[UPDATE]: Some have reported issues with S/MIME in iOS5, and the beta implementation does certainly seem to be a little "quirky" at the moment. I found issues when using certificates issued by public CAs such as VeriSign, which I circumvented by installing self-signed certificates that I created using OpenSSL. Naturally, this does not play well in the world outside your test environment, but if you are just looking to test functionality, I found that both sending and receiving signed and encrypted messages worked fine using this solution.<br />
Curated App Stores, Security, And Why The Next Kindle Will Be An Android Device (Bob Walder, 2011-04-17)<br />
We have been having some interesting discussions internally about the recent Android malware fiasco and how things need to be improved if Android ever wants to be taken seriously as an OS fit for use in an enterprise environment.
<br />
<br />There has been some serious rhetoric against Apple's "walled garden" approach in recent months but, like it or not from a philosophical standpoint, it certainly provides more protection for users than the Android Market. Some claim that the Apple approach stifles innovation. Pah! (Yes, I said "pah" - add to that a "pish and twaddle", if you will.) One needs look no further than the sheer number of apps to shoot holes in that argument. Granted far too many of them are designed to emulate the passing of gas - some of us might argue that more controls are required, not fewer!
<br />
<br />At the other end of the spectrum there are some truly excellent apps. Evernote, PDF Reader, TeamViewer, WebEx, GoToMeeting, Pages, Numbers, Keynote, QuickOffice, DocsToGo, SoundNote - these are all apps on which I rely daily. And for sheer awesomeness look no further than GarageBand and iMovie. No shortage of innovation and quality there then.
<br />
<br />And from the point of view of the user - particularly the non-computer savvy user - all of this just works. Couple of clicks to search for your app. One click to purchase, download and install. And - most important of all - Trojan-free once it arrives. Curated app stores are essential to the well-being of the ecosystem.
<br />
<br />Google needs to emulate that experience with its Market, though its very credo seems to suggest that will never happen. Yet without it the store will descend into anarchy, with users scared to purchase for fear of what new and terrible piece of malware they might be introducing to their phone or tablet.
<br />
<br />So along comes Amazon from nowhere, and in one fell swoop it might have beaten Google at its own game. Amazon has the position of trust. It has the customer review infrastructure in place. It already has our credit card details (who hasn't bought anything from Amazon?) And now it has an Android Appstore (TM) to go with it. Now all it has to do is make sure that the stuff it sells is safe.
<br />
<br />It has promised to do that, by applying both quality control and security vetting to the app review process. So why wouldn't you buy from there rather than the Google Android Market? Well, I would - I already have. But my Auntie Edna probably wouldn't. It is way more difficult than the Apple process, and right now requires a multi-step process just to get the Appstore app on your phone. It is not that difficult, but it is certainly a sub-optimal user experience compared with the "It Just Works" approach of Apple.
<br />
<br />So what needs to happen for the Amazon Appstore (TM) to succeed? Simple - it needs to arrive pre-installed on Android devices. Lots of them. And while I am sure Amazon is probably in discussions with a bunch of carriers to achieve that objective, what better way to make sure it happens than to ship it in huge numbers on Amazon's very own Android tablet - The Kindle IV?
<br />
<br />Give us that great Kindle experience with Android flexibility at a super-low price point, and you might just have your iPad-killer... I certainly haven't seen one among the devices announced so far.
<br />
<br />Don't forget to follow me on Twitter (<a href="http://twitter.com/bwalder">@bwalder</a>) to be kept informed of new research.<br />
<br />
<br />Secure Low-Cost Data Sharing and Collaboration With iPad<br />
<br />Bob Walder, 2011-03-17<br />
<br />
<br />Cloud-based storage services offer a low-cost alternative to high-end enterprise-class collaboration tools. At the same time, a new class of intelligent mobile devices — smartphones and tablets, spearheaded by the iPad — is driving the need to share sensitive data while on the move. For many organizations, the basic requirement is the ability for a small group of users to share a set of documents related to a specific project.
<br />
<br />With business needs and the sudden availability of viable mobile platforms driving this initiative, IT departments are struggling to determine the security of the cloud and mobile platforms that compose this new infrastructure. Senior management's adoption of new and attractive devices, such as the iPad, makes it extremely difficult for IT departments to prohibit their use on corporate networks. Dropbox and iPad have become an irresistible combination.
<br />
<br />Given the availability and low cost of these low-end solutions, users are taking advantage of them in their own homegrown solutions, often regardless of corporate policy. Thus, it is imperative that IT departments address these low-end solutions quickly to restrict their use, or transition users to a more appropriate environment to ensure that those solutions are as secure as possible.
<br />
<br />I have a new Analysis Brief in the pipeline that examines the security issues surrounding the use of cloud-based data sharing and collaboration services to share sensitive corporate data with your iPad.
<br />
<br />Follow me on Twitter (<a href="http://twitter.com/bwalder">@bwalder</a>) to be kept informed of new research.<br />
<br />
<br />Testing Times In Security<br />
<br />Bob Walder, 2011-02-23<br />
<br />
<br />I am speaking to more and more enterprise clients who are doing their own in-house testing of security devices. Some of them invest in large, dedicated test networks and knowledgeable personnel, others invest in a single rack of virtualization and load generation equipment. But for all of them, the aim is the same - reduce risk of compromise by thoroughly testing equipment against enterprise-specific criteria before purchase.
<br />
<br />Security vendors' marketing claims are often exaggerated, and frequently do not reflect real-world or enterprise-specific conditions. Performance of complex network security devices is difficult to determine accurately, yet failure to do so can result in significant negative impact on the network should the wrong device be selected or a chosen device configured incorrectly.
<br />
<br />Testing is not necessarily about proving that the most-capable, most-expensive product is the best choice. A well-designed testing plan may actually show that a lower level of performance is acceptable at certain points on the network, and this can reduce purchase and deployment costs. IT organizations that do not perform relevant tests in-house may introduce serious security and performance issues to their networks by purchasing underspecified devices, or may overspend significantly on higher levels of performance and coverage that are not required.
<br />
<br />Security effectiveness of complex security devices is often the most-difficult area to evaluate, because it requires expertise with attack traffic, and even live exploits. Evasion testing in particular seems to be a challenge for even the best-equipped enterprise test labs (hardly surprising, since it also appears to be something of a challenge for many of the security vendors out there!). For those with the requisite expertise in-house, however, a basic security effectiveness test bed can be created at a relatively low cost using virtualization technology and commonly available test tools. Virtual machines can be used to create an environment that is safe and repeatable, allowing security-conscious organizations to verify the often inflated vendor marketing claims.
<br />
<br />Although it requires little in the way of specialized expertise and test equipment, testing the user interface (UI) and device management capabilities is often overlooked when evaluating complex network security products.
<br />
<br />This is a mistake, however. A management system that does not meet organizational requirements reduces the effectiveness of a security solution. If a task is too difficult to perform, then it will be executed poorly or inconsistently, if at all. Operational costs can also be reduced drastically via well-designed centralized management systems.
<br />
<br />Those who take testing seriously also implement continuous testing programs, making them an integral part of the ongoing security maintenance regime. I have seen numerous instances in the past of a single poorly written signature crippling the performance of an IPS. Firmware updates can also break previously solid inspection processes — anti-evasion techniques appear to be particularly prone to disruption between firmware updates.
<br />
<br />Once initial deployment of your security device is complete, perform a full benchmark test to establish a baseline for your existing deployments. Every time a new firmware upgrade, signature pack update or change in security policy is applied — however minor it may seem — the device should be retested and the results compared against the baseline. In-place, ongoing penetration tests on the live network can also help to identify changes in security effectiveness following updates. This process of continuous monitoring makes it possible to monitor, identify and correct adverse impacts on performance or security effectiveness.
<br />
<br />We currently have a number of Analysis Briefs in the pipeline covering performance testing, security effectiveness testing and managing security devices. Together these will provide you with plenty of background material gleaned from almost 20 years in the security testing industry, along with some actionable advice to help you avoid costly mistakes when selecting and implementing complex network security devices.
<br />
<br />Don't forget to follow me on Twitter (<a href="http://twitter.com/bwalder">@bwalder</a>) to be kept informed of new research.<br />
<br />
<br />How to Secure the Corporate Data on Your iPad or iPhone<br />
<br />Bob Walder, 2010-12-17<br />
<br />
<br />A recent survey of CIOs showed that 85% had received requests for Apple iPhones, iPods or iPads to be used in the enterprise, and that almost 75% had found that end users were connecting those devices to the enterprise network with or without permission.
<br />
<br />This push towards using employee-owned devices from the bottom of the organization has been matched by the push to use iPads in particular from board-level executives, and IT security professionals are being squeezed in the middle, forced to support devices which were never designed for enterprise use and which offer unique challenges to secure, deploy and manage effectively.
<br />
<br />Given the popularity of the iPad among executives, it was important that Apple made significant improvements to make its devices more enterprise-friendly, and this it attempted to do with a raft of new features in iOS4. Alongside new management capabilities came improved data protection, making iOS4 devices far more secure and more straightforward to manage than their predecessors.
<br />
<br />However, there remains some confusion between "encryption" and "Data Protection," as used by Apple when referencing its latest security capabilities in iOS 4. Apple has created a framework for Data Protection that goes far beyond previous encryption capabilities and addresses many of the prevailing data security concerns. Encryption was introduced in iOS 3 and is "always on," but even when the device passcode is set it does not prevent files from being accessible in the clear under certain circumstances.
<br />
<br />Though additional file-level encryption is available under the new Data Protection capabilities in iOS 4, the default state of data on an iPhone or iPad is "always available" to preserve backward compatibility, and sensitive data stored on iOS devices remains unprotected in many cases.
<br />
<br />Of the Apple applications, only Mail supports full data encryption right now, and few third-party software developers have implemented the Data Protection APIs. Therefore, sensitive corporate data can be at risk if an iOS device is compromised.
<br />
<br />A brand new Analysis Brief is in the pipeline covering iOS5, asking how secure Apple's new Data Protection capabilities are, and providing actionable advice on securing corporate data on iOS4 devices.
<br />
<br />Follow me on Twitter (<a href="http://twitter.com/bwalder">@bwalder</a>) to be kept informed of new research.<br />
<br />
<br />A Good Security Testing Plan Will Save Time and Money<br />
<br />Bob Walder, 2010-12-09<br />
<br />
<br />Few enterprises in today's environment of highly constrained IT and security resources can afford to waste time and budget on network security products that exceed — or do not match — their requirements. While it is tempting to forge ahead in evaluating the biggest and fastest, hardware-accelerated, nuclear-powered "Next Generation" security toys, a well-designed testing plan may demonstrate that a lower level of performance is acceptable at certain points on the network, and this can reduce purchase and deployment costs.
<br />
<br />An effective testing plan will enable the enterprise to select cost-effective security solutions that align with internal requirements for performance and system integration. The availability of advanced test tools enables a complete test lab to be created in a single rack of equipment, making it possible for almost any organization to perform in-house testing.
<br />
<br />When embarking on a testing project, it is also important to decide in advance the eventual use case for the products being tested — a device intended for a branch office environment is unlikely to perform well if tested as an enterprise core product, for example.
<br />
<br />In consulting independent test reports, be wary of those test houses that do not recognize the value of use-case testing. Look for those that either seek to certify a product against a particular use case, or that recommend one or more use cases based on the results of the test. A simple "pass/fail" result with no indication of a suitable use case renders a test worse than useless — even misleading.
<br />
<br />We have an Analysis Brief in the pipeline that examines each of these issues in more depth and defines testing best practices that will save precious resources when evaluating complex security devices.
<br />
<br />Follow me on Twitter (<a href="http://twitter.com/bwalder">@bwalder</a>) to be kept informed of new research.<br />
<br />
<br />Firesheep: Should CISOs Ban Employees From Using Unsecured Public Wireless Networks?<br />
<br />Bob Walder, 2010-12-06<br />
<br />
<br />The release of the Firesheep plug-in for the Firefox browser has made it trivial for even unskilled attackers to intercept and interfere with private data on unsecured public wireless networks.
<br />
<br />Since attackers can use the tool to send messages and make posts on behalf of the victim, organizations using social networks for marketing, support or brand enhancement may suffer serious consequences as a result.
<br />
<br />Chief information security officers (CISOs) need to make employees aware of the risks and provide them with the necessary tools to counter them, but should they be banning the use of unsecured wireless networks for any company-related communications?
<br />
<br />This note (for subscribers only), entitled <a href="https://www.nsslabs.com/research/analysis-briefs/what-cios-need-to-know-about-ssl.html">"What CIOs need to know about SSL and its effect on network traffic inspection capabilities"</a> answers that question and provides action plans for both employees and software developers to combat the threat of session hijacking, in addition to covering how IT departments can balance the need for enhanced security with the need to inspect encrypted traffic on the corporate network.
<br />
<br />Don't forget to follow me on Twitter (<a href="http://twitter.com/bwalder">@bwalder</a>) to be kept informed of new research.
<br />
<br />Like Lambs To The Slaughter - What Is Firesheep?<br />
<br />Bob Walder, 2010-10-29<br />
<br />
<br />As with Advanced Evasion Techniques (AET), Firesheep has garnered significant publicity recently by rejuvenating interest in an old security problem via the creation of a slick new tool. Unlike AETs, however, the tool at the centre of this publicity storm has been released to the general public, for good or ill.
<br />
<br />HTTP session hijacking, or "Sidejacking" as it is sometimes called, is nothing new. Papers exist discussing the technique as far back as 2004. Several applications have also been written in the past (Ferret, Hamster, Cookie Monster and FBcontroller to name a few) to take advantage of the technique. However, Eric Butler, a Seattle-based freelance software developer, has rekindled interest in the issue via the release of a simple-to-use Firefox plugin called Firesheep.
<br />
<br />Either on its own on a Mac, or coupled with Winpcap (or Ettercap) on a PC, Firesheep can capture traffic on any unsecured wireless network to which you are connected and extract details from session cookies used by any of the web sites configured within the Firesheep application. These cookies are used by web applications such as Twitter or Facebook to register the fact that you have successfully authenticated to the host site. They do not contain your password details, but they do not need to. By using the cookie to piggyback on your unencrypted communication, the attacker running Firesheep can impersonate you and gain access to the application you are using.
<br />
<br />It couldn't be easier to use. The attacker just fires it up, turns on packet capture, and waits for the sidebar to populate with account details it has detected on the network. He clicks on your details, and <em>hey presto</em> - he sees on his screen exactly what you see on yours. And he can interact directly with the host application. He could post status updates on Twitter or Facebook on your behalf, for example. OK, that might not be too serious for some, but for those whose job it is to represent the public face of a major corporation the potential for mischief is significant.
<br />
<br />Should you stop using all public, unsecured wireless networks? Well, no. That would be overkill.
<br />
<br />At the end of the day, the real solution is for providers of web applications like Facebook and Twitter to use secure connections for all their operations. In the meantime, there are a number of precautions you could, and should, take, and these (and other key points) are the subject of a <a href="https://www.nsslabs.com/research/analysis-briefs/what-cios-need-to-know-about-ssl.html">research note</a> I have just completed (subscribers only).
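<br />The condition Firesheep exploits is a session cookie that the browser will send over plain HTTP, so the check a web application owner wants is a header audit. The following is an added Python example, not Firesheep and not part of the original post; the cookie-name heuristic and the two sample responses are constructed for the demo.

```python
"""Audit HTTP response headers for the weakness Firesheep relies on:
a session cookie the browser will send over plain HTTP, where anyone on
the same unsecured wireless network can read it.

Added example, not part of the original post and not Firesheep code.
The cookie-name heuristic and the sample responses are constructed.
"""
from typing import Dict, List, Tuple

# Substrings that suggest a cookie carries an authenticated session
# (assumption for the demo; a real audit would use the app's known cookie names).
SESSION_COOKIE_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split 'name=value; Attr; Attr=val' into (name, {attr_lower: value}).
    Flag attributes such as Secure map to an empty string."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def looks_like_session_cookie(name: str) -> bool:
    """Heuristic: does the cookie name suggest it identifies a logged-in user?"""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_COOKIE_HINTS)


def audit_response(headers: List[Tuple[str, str]]) -> List[str]:
    """Return findings for one response, given its (name, value) header pairs.

    Three conditions matter for sidejacking:
      * a session cookie without Secure is transmitted on every plain-HTTP
        request, so a passive sniffer on the wireless network captures it;
      * without HttpOnly the same cookie is also readable by injected script;
      * without Strict-Transport-Security the browser may still issue
        plain-HTTP requests (e.g. for a typed URL) that leak the cookie.
    """
    findings: List[str] = []
    has_hsts = any(n.lower() == "strict-transport-security" for n, _ in headers)
    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(v)
        if not looks_like_session_cookie(name):
            continue  # a language or UI preference cookie is not worth stealing
        if "secure" not in attrs:
            findings.append(f"{name}: missing Secure; cookie is sent over plain HTTP")
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly; cookie is readable by script")
    if not has_hsts:
        findings.append("no Strict-Transport-Security header; plain-HTTP requests remain possible")
    return findings


# Constructed sample responses: the "before" that Firesheep would harvest,
# and the "after" with the cookie and the transport hardened.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session_id=abc123; Path=/"),
    ("Set-Cookie", "lang=en; Path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "lang=en; Path=/"),
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp) or ["no findings"])
```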
<br />
<br />Don't forget to follow me on Twitter (<a href="http://twitter.com/bwalder">@bwalder</a>) to be kept informed of new research. Just don't do it from an unsecured wireless network - you never know who might be watching!
<br />
<br />
<br />AET Update<br />
<br />Bob Walder, 2010-10-27<br />
<br />
<br />Stonesoft held a joint publicity exercise with ICSA Labs last night in the form of a live Q&A session via conference call.
<br />
<br />It was fairly embarrassing, given that there was a total of three questions (two from the same person which seemed to confuse evasion techniques with actual exploits), and the whole thing was wrapped up after 25 minutes with most of it being taken up by Stonesoft execs repeatedly denying that this was just a publicity stunt (and still no real details).
<br />
<br />So, why was it a bust? Lack of interest or lack of understanding?
<br />
<br />Well, given the confusion mentioned above, I suspect a lack of understanding, which is worrying. That is also one reason why I am inclined to forgive Stonesoft this blatant hijacking of the evasion issue: if it continues to at least raise awareness and force other vendors to take it more seriously in their own testing, then it will have been <em>A Good Thing</em>.
<br />
<br />So let me clear up the confusion. Evasion techniques are <strong>not</strong>, in and of themselves, exploits. Any attacker would need a functioning exploit which is already proven to work against the target host. If the host is unpatched and the in-line defences (IPS/NGFW) have no appropriate signature, the exploit will be successful - game over. If the IPS/NGFW has a signature covering the exploit, then it will be blocked - score one for The Good Guys.
<br />
<br />This is where evasions come into play, however. Having noted that his exploit has been blocked, the attacker will then begin to use the <strong>same</strong> exploit coupled with one or more evasion techniques to disguise the exploit and render it invisible to the IPS/NGFW inspection engine. Chances are, right now, it will then work, since so many IPS engines fare so badly against even the most basic evasion techniques.
<br />
<br />Note that if the target host has been patched against the exploit, then no amount of evasion will help. This is the key differentiator here - evasion techniques are only good for "cloaking" and delivering an exploit unmolested past a NGFW or IPS. Once your host system is patched against a particular vulnerability, it is safe (until the next one is discovered!)
<br />
<br />Take a look at the most recent NSS Labs IPS Group Test Report to get some idea of which IPS products do well against evasions and which do not. Now this is where Stonesoft is to be commended. Because in trying to fix its own problems it went beyond those tools which are freely available to testers and wondered what would happen if it extended a few of the techniques and combined them. The result was the Predator tool and this latest slew of publicity.
<br />
<br />It bears repeating that the criticism levelled at Stonesoft to this point is due to a lack of originality, not lack of seriousness of the problem. In the conference call last night ICSA voiced a very significant qualification - that 9 of the 14 PCAPs Stonesoft provided them to validate the claims had <strong>not been seen before in tools which were freely available</strong>. In other words, Stonesoft has not invented or discovered a whole new type of evasion technique (as I have <a href="http://bobwalder.blogspot.com/2011/08/storm-in-teacup-more-on-advanced_9902.html">already pointed out</a>, I was personally using several of their so-called "new" evasion techniques in public testing over seven years ago) - it has, instead, extended and combined existing known techniques to create a new set of problems for NGFW/IPS vendors to solve.
<br />
<br />In other words, we are no worse off now than we were before Stonesoft made its claims - but there is still a significant problem which needs addressing. <strong>And it is time the IPS industry woke up and addressed this issue</strong>. There are products on the market today which have had issues with evasion techniques since the day V1.0 was launched, despite being pulled up time and time again in independent tests.
<br />
<br />Which vendors are you considering for your next NGFW/IPS product? Ask them about evasions. Ask them about the Stonesoft AETs. And then make them PROVE they have an answer. In your <strong>own</strong> network, under <strong>your</strong> control. Or in an independent test lab under the control of a trusted third party. But <strong>NOT</strong> in their own labs.
<br />
<br />Because the thing is, some vendors don't seem to understand the problem any more than the public at large. If they did, I wouldn't have had to fail the same products, year after year, for the same problem when I was testing these things myself.
<br />
<br />As I mentioned previously, I have a research note in the works covering evasion techniques and how they can (and can't) be used against your perimeter defences. Given the level of interest in this subject, I might try to push up the delivery date.
<br />
<br />Follow me on Twitter (<a href="http://twitter.com/bwalder">@bwalder</a>) to be kept informed.<br />
<br />
<br />Storm In A Teacup? More on Advanced Evasion Techniques (AET)<br />
<br />Bob Walder, 2010-10-20<br />
<br />
<br />Following my recent post on the Advanced Evasion Techniques (AET) "discovered" by Stonesoft, I thought I would update you with a few discoveries of my own.
<br />
<br />After further investigation it would appear that there is not really that much that is actually new here. Don't get me wrong, there is certainly a threat here, and if there is one good thing that comes out of this it is that a few vendors might start taking evasion testing more seriously than they have in the past.
<br />
<br />It appears that Stonesoft went through an independent testing process at the end of last year, failed several of the evasion tests, and started to do some research in order to improve their product. In developing their own tool to help them test, they started "fuzzing" the evasion techniques - an automated process which tries millions of random evasions, both in isolation and in various combinations, in order to find those which work. Bear in mind that it is possible to "evade" a typical TCP/IP stack too, so for an evasion test to be valid, it should allow a previously-detected exploit to bypass an IPS/IDS undetected whilst remaining capable of being reassembled by the target vulnerable host.
<br />
<br />What they came up with was a number of new "discoveries", which under closer scrutiny appear to be techniques which have been well known for many years in the testing industry. In particular, they are laying claim to the discovery that layering multiple evasions - particularly evasions from different layers of the protocol stack - can succeed where single evasions will not. Well, I know for a fact that this technique - along with around 90% of the others which they are claiming are new - has been in use for 7 years or more in the testing industry. How do I know this? Because I was the one doing it!
<br />
<br />As founder and CEO of NSS Labs, I pioneered a range of IPS/IDS/Firewall testing techniques which are still in use today. In particular, I devoted a significant amount of time to the study of evasion techniques and was using many of the "new" Stonesoft AETs - including the all-powerful layering - way back in the naughties. I had to use my own tools back then, developed in-house. That certainly made it a challenge to layer MSRPC fragmentation with TCP segmentation and IP fragmentation in the same attack, but it was doable. And I did it. What IS new from Stonesoft is the fancy Predator tool, which they are not releasing to anyone (sensibly). It is a GUI-driven "One Stop Evasion Shop" and looks a lot nicer than the multiple command line tools I developed....
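<br />The point made here and in the AET Update post above (an evasion is not an exploit, and it only counts if the target host's stack can still reassemble what the IPS missed) can be seen in a toy detection engine. This is an added Python example, not Stonesoft's Predator or any NSS Labs tool; the signature bytes, the flow and the first-received overlap policy are assumptions for the demo.

```python
"""Why an in-line inspection engine must reassemble the TCP stream the way
the target host's stack does before it matches a signature.

Added example, not part of the original posts and not Stonesoft's Predator
or any NSS Labs tool.  The signature, the flow bytes and the overlap policy
are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed byte pattern standing in for an IPS signature.
SIGNATURE = b"EXPLOIT-PATTERN"


@dataclass(frozen=True)
class Segment:
    """One TCP segment: sequence number of its first payload byte, plus payload."""
    seq: int
    payload: bytes


def segmentize(data: bytes, sizes: List[int], isn: int = 0) -> List[Segment]:
    """Cut `data` into consecutive segments of the given sizes (must sum to len(data))."""
    assert sum(sizes) == len(data), "sizes must cover the whole flow"
    segments, pos = [], 0
    for size in sizes:
        segments.append(Segment(isn + pos, data[pos:pos + size]))
        pos += size
    return segments


def per_packet_match(segments: Iterable[Segment], signature: bytes = SIGNATURE) -> bool:
    """A naive engine that inspects each segment on its own.
    It fires only when the entire signature sits inside one segment."""
    return any(signature in s.payload for s in segments)


def reassemble(segments: Iterable[Segment], isn: int = 0) -> Optional[bytes]:
    """Rebuild the byte stream a receiving host would hand to the application.

    Segments may arrive in any order.  For overlapping bytes this demo keeps
    the first-received data (an assumption: real stacks differ per OS, which
    is itself an evasion vector, so a real engine must model the target's
    policy).  Returns None when a gap remains, i.e. the host's stack would
    never deliver the data either, so the attempt is not a valid evasion."""
    stream = {}
    for s in segments:  # arrival order decides overlap resolution
        for i, byte in enumerate(s.payload):
            stream.setdefault(s.seq - isn + i, byte)
    if not stream:
        return b""
    length = max(stream) + 1
    if len(stream) != length:
        return None  # at least one position is missing
    return bytes(stream[i] for i in range(length))


def stream_match(segments: Iterable[Segment], signature: bytes = SIGNATURE, isn: int = 0) -> bool:
    """An engine that matches against the reassembled stream, as the host sees it."""
    data = reassemble(segments, isn)
    return data is not None and signature in data


# Constructed flow: 7 + 15 + 8 = 30 bytes.  Cutting it as [7, 9, 6, 8] puts the
# signature across two segments, so a per-packet matcher never sees it whole.
FLOW = b"HEADER " + SIGNATURE + b" TRAILER"
SPLIT = segmentize(FLOW, [7, 9, 6, 8])
OUT_OF_ORDER = [SPLIT[2], SPLIT[0], SPLIT[3], SPLIT[1]]

if __name__ == "__main__":
    print("single segment  per-packet:", per_packet_match([Segment(0, FLOW)]),
          " stream:", stream_match([Segment(0, FLOW)]))
    print("segmented       per-packet:", per_packet_match(OUT_OF_ORDER),
          " stream:", stream_match(OUT_OF_ORDER))
    # Drop a segment: neither the host nor the stream engine can complete it.
    print("with a gap      stream:", stream_match([SPLIT[0], SPLIT[2]]))
```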
<br />
<br />In addition, one of the "evasions" they have discovered seems to be less of an evasion and more of an exploitation of a particular bug which can be found in some IPS products. Again, part of a data leakage test which I was running against these products some years ago. I am surprised that it is still causing problems for some vendors... but there you go!
<br />
<br />There is nothing new under the sun. What Stonesoft has done is taken existing evasion techniques and extended them. In doing this, they have created a few specific evasions I have not used before, but they are still extensions of known techniques. Kudos to them for taking this so seriously - it should do wonders for the security of their IPS and firewall products. Hopefully it will also force other vendors to follow suit and take this more seriously. You, the customer, deserve that at least. There are far too many IPS/IDS products which are still today failing to protect against even the most basic of these techniques (as seen in recent independent tests), let alone the more complex variations Stonesoft is publicising. Signatures are just not enough!
<br />
<br />But don't fall for the FUD here... nothing has changed. AETs are not the WMD that will bring our perimeter security to its knees. Yes, they are a serious problem, but no more serious than before Stonesoft launched its publicity drive. Except, of course, that the bad guys are watching too...
<br />
<br />Don't forget to follow me on Twitter (<a href="http://twitter.com/bwalder">@bwalder</a>) to keep up with my blog entries, research notes and random thoughts on wine, coffee, Labradors, golf, life in France and.... oh yes.... security.<br />
<br />
<br />Discovery of Advanced Evasion Techniques (AET) Could Cause Headaches For IPS/NGFW Vendors<br />
<br />Bob Walder, 2010-10-17<br />
<br />
<br />The Finnish security company Stonesoft said today it had found new techniques that bypass current security systems and which cyber-criminals could use to gain access to internal protected assets of many companies. Stonesoft said that as a result of the advanced evasion techniques (AETs) "companies may suffer a significant data breach including the loss of confidential corporate information."
<br />
<br />Is this another round of hype or is there a genuine threat here?
<br />
<br />Well, the bad news is that AETs do appear to exist. However, they are an extension of an existing threat category rather than a new one.
<br />
<br />The problem is that a lot of in-line security devices - IPS in particular - don't do that good a job of coping with the basic stuff that is already out there, so this stuff is just going to make things worse!
<br />
<br />Why is this a threat? Let's imagine you have something like Stuxnet which is proven to be effective at spreading itself around via remote exploits (amongst other techniques). Hopefully users will patch their systems, but in the meantime, they deploy sigs on their IPS, thinking that gives them additional time to test and roll out patches. It would be a trivial matter to alter Stuxnet to incorporate these evasion techniques, thus prolonging its life (don't forget - many users won't bother patching at all, and many more will delay - we know this is true from experience).
<br />
<br />Or, another scenario: I am a cyber criminal with a new exploit for which I paid $5000 and which guarantees 100% ownership of a particular system. This I have tested and verified. So I run it against a public-facing target and find it is ineffective. I can be pretty sure this is as a result of in-line defenses. Do I throw out my $5k investment and move on? Not on your life. I deploy some simple evasion techniques and breeze on through.
<br />
<br />For casual hacking by non-tech morons using toolkits and pre-packaged attack tools, evasion techniques are not widely used (though a number of the more advanced/expensive "blackware" tools <strong>do</strong> include evasion techniques). For those involved in targeted attacks, however, they are in common usage.
<br />
<br />Right now Stonesoft has not released any of these tools (thank goodness!) Nor, I have to say, has it been particularly forthcoming in releasing any technical details. It claims that the AETs have been verified as real by independent test labs, but I have yet to see any evidence that this is true beyond a couple of vague quotes and sound bites. This has all the hallmarks of a carefully stage-managed publicity stunt about it.
<br />
<br />That does not mean the threat is not real - I have seen the techniques in action and I am convinced they have the potential to cause significant mischief. There is a big difference, however, between watching a carefully managed demo by Stonesoft personnel over a secure link to getting one's hands dirty by testing hands-on. Right now it is possible that the majority of what is deemed "new" could be little more than layering older techniques on top of one another (something I was doing a decade ago to test IDS products). That doesn't make them any less effective, of course, it just means that this particular announcement is more about marketing than security. Once I see some hands-on verification by a trusted third party I will be happier.
<br />
<br />I am also convinced that Stonesoft is not the only one to have discovered these flaws. My guess is that this is also just the tip of the proverbial iceberg. If I were making a living out of targeted attacks and cyber crime I would have been keeping these under my hat for a while now - I bet those shady folks are not happy that they are finally out in the open.
<br />
<br />Even with the range of evasion tools and techniques currently freely available, however, security vendors have proven themselves incapable of handling even some of the most basic of those techniques. There are products on sale right now that I tested over 5 years ago and which still to this day cannot handle these issues. It is hard to do good TCP stream (and even IP packet) reassembly at high speeds - one major IPS vendor, for example, ships its IPS with all anti-evasion protection turned off by default because it is such a performance hog! It is not too much of a stretch to say that you might as well not bother deploying the thing at all if you are not going to switch them on!
<br />
<br />If there is one takeaway from this round of publicity it is that you should make sure that the IDS/IPS/NGFW product you are about to buy or have already installed is resistant to these kinds of evasion techniques - and don't just take the vendor's word for it!
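<br />The reassembly point above and this takeaway in a few lines of code, as an added illustration that is not part of the original post and is not code from any product mentioned in it: a naive detector that inspects each TCP segment on its own misses a request line that a stream-aware detector catches once the segments are put back in order. The signature, sequence numbers and HTTP request are constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # sequence number of the first payload byte
    payload: bytes


# Constructed signature: the request line a hypothetical rule looks for.
SIGNATURE = re.compile(rb"GET /cgi-bin/test-sig")


def match_per_segment(segments):
    """Naive detector that inspects each segment in isolation."""
    return any(SIGNATURE.search(s.payload) for s in segments)


def reassemble(segments, isn):
    """Rebuild the client byte stream starting at sequence number `isn`.

    Segments are sorted by seq; fully retransmitted data is dropped, partial
    overlaps keep the bytes already accepted (real stacks differ here, which
    is why an inline device must model the target host), and a gap raises
    rather than silently matching on an incomplete stream.
    """
    stream, expected = bytearray(), isn
    for seg in sorted(segments, key=lambda s: s.seq):
        end = seg.seq + len(seg.payload)
        if end <= expected:
            continue                      # pure retransmission, nothing new
        if seg.seq > expected:
            raise ValueError(f"gap: expected seq {expected}, got {seg.seq}")
        stream += seg.payload[expected - seg.seq:]
        expected = end
    return bytes(stream)


def match_stream(segments, isn):
    """Stream-aware detector: reassemble first, then match."""
    return SIGNATURE.search(reassemble(segments, isn)) is not None


# Constructed traffic: one request delivered whole, and the same request
# delivered as small out-of-order segments with a retransmitted piece.
ISN = 1000
REQ = b"GET /cgi-bin/test-sig HTTP/1.1\r\nHost: example.test\r\n\r\n"
WHOLE = [Segment(ISN, REQ)]
SPLIT = [Segment(ISN + 12, REQ[12:20]), Segment(ISN, REQ[:12]),
         Segment(ISN + 20, REQ[20:]), Segment(ISN + 6, REQ[6:12])]


def compare():
    """(per-segment result, stream result) for each delivery of the request."""
    return {"whole": (match_per_segment(WHOLE), match_stream(WHOLE, ISN)),
            "split": (match_per_segment(SPLIT), match_stream(SPLIT, ISN))}
```

Feeding a device both deliveries and comparing its verdicts is the simplest version of the check the paragraph asks for; a product that only alerts on the whole delivery is doing per-segment matching.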
<br />
<br />I have a research note in the works covering evasion. Follow me on Twitter (<a href="http://www.twitter.com/bwalder">@bwalder</a>) to keep up with announcements of research note releases.
<br />
<br />One final point - this stuff is applicable to IDS and in-line protection only (i.e. IPS/NGFW) and does not help bypass good anti-malware scanning or EPP. Defense in depth, folks... defense in depth...
<br />Bob Walderhttp://www.blogger.com/profile/15450051597019974804noreply@blogger.com0tag:blogger.com,1999:blog-12063587.post-88403952589194753322010-08-20T06:02:00.000-05:002019-11-18T08:36:17.107-06:00
<br />Intel + McAfee: Game Changer or Disaster Waiting to Happen?
<br />
<br />While an acquisition of McAfee was hardly a shock (it has been on the cards for some time) the acquirer did come as something of a surprise. I am sure we can all think of at least one - if not more - suitors who would have been a better fit for McAfee. Mind you, what does McAfee care? Payday is payday...
<br />
<br />Intel obviously wants to improve the security posture of its products and can gain some good R&D from McAfee to help with this. However, there appears to be very little synergy between the two companies. They have different customers, different routes to market, different cultures. Intel development cycles are measured in years, whilst McAfee needs to be able to react quickly. There are no channel benefits, no new market opportunities, and not a whole lot of revenue enhancement. And to cap it all, Intel has never really demonstrated that it actually <em>understands</em> the software business. Or the security business for that matter - look what happened to LANDesk and Shiva.
<br />
<br />The biggest area of speculation is over whether it is feasible for Intel to build EPP-type protection into its silicon, since this would provide the most exciting outcome from this merger (though one at which the anti-trust folks would doubtless take a long hard look). How feasible it is to embed security at such a low level – given that silicon is relatively fixed and security products need to be able to change on almost a daily basis – remains to be seen. Low-level capabilities with APIs and firmware hooks are probably the way to go here, though other security vendors will presumably be able to exploit those as well (if not, the lawyers will have a field day).
<br />
<br />Clearly, given the recent acquisition of Wind River, Intel also has its eye on the embedded/mobile market - which is going to be huge(r) - and the McAfee acquisition could dovetail quite nicely with this, as well as giving a boost to Intel's vPro platform. But if this is all Intel wanted, it could have paid a lot less for a smaller company with better technology and less baggage - but that company would not have had the McAfee brand name, of course, which will be important as Intel chases a diverse range of customers for its new security technology!
<br />
<br />And there is always the little niggle that in the mobile world, vendors such as Apple, RIM and Microsoft have control of the platform - and therefore the security - not the chip makers. Additional layers of security can't harm, but it is unclear whether they are as necessary as in the PC world. To date, users have been unable and/or unwilling to pay for additional security software on smartphones (Apple, for example, will not permit the use of key system calls required by antimalware vendors under the terms of its SDK).
<br />
<br />While there is undoubtedly some intellectual property and R&D at McAfee that will be able to help Intel in its goal of offering more security features in its chipsets and related software utilities, it is unclear why it felt it needed to own McAfee to deliver this. It was already benefitting from an established partnership, and given that Intel clearly paid full value then it is obvious that it REALLY wanted this to happen – perhaps it is a defensive move to prevent others getting their hands on a key partner? Either way, almost $8 billion is a lot to pay for McAfee.
<br />
<br />The first fruits of this union are slated to be delivered some time in 2011, apparently based around exposing limited security capabilities built into existing Intel chips. Integrating EPP-type security into silicon, if feasible, will take much longer.
<br />
<br />One area which worries me is that I do not see where the network infrastructure security product line fits into Intel’s plans. I am hoping that IntruShield, one of the market-leading NIPS products, is not left to languish in the bowels of Intel and die a slow and painful death (McAfee assures me it won't, since McAfee will continue to operate as a separate business unit). Intel could tinker with IntruShield, of course, by swapping out the network processing hardware for its own (if it is not already in there!) and replacing custom silicon (ASICs/FPGAs) with generic Intel processors. This could revitalize the IntruShield product line or it could finish it off altogether. If they have no clear strategy (and if they have, then why put McAfee in the Software & Services division?) it would be better if they spun it off into a separate company or sold the technology to an interested third party.
<br />
<br />Bottom line: while in the long term this acquisition may benefit Intel in its fight with ARM for the embedded processor market and even AMD in the PC market, it is fraught with potential pitfalls for McAfee’s existing customers if the company gets distracted in a very competitive market.
<br />
<br />New McAfee enterprise clients and existing ones coming to the end of a refresh cycle will be looking long and hard at how focused they think McAfee will be on their business in the next 12 months. The fact that this comes hot on the heels of the recent flawed security update which crippled thousands of corporate PCs will not help matters. Symantec, Sophos and Trend Micro (amongst others) must be rubbing their collective hands in glee right about now.
<br />
<br />But perhaps the bigger questions are: will other chip manufacturers feel they have to follow suit to keep up with Intel? Or is Intel about to go on a security shopping spree? And which security vendor will be the next to be snapped up?
<br />Bob Walderhttp://www.blogger.com/profile/15450051597019974804noreply@blogger.com0tag:blogger.com,1999:blog-12063587.post-59426981335466891182010-07-09T06:00:00.000-05:002019-11-18T08:36:16.895-06:00
<br />Who Pays For Testing You Can Trust?
<br />
<br />This is a question often overlooked both by those who scream "<em>bias</em>" and those who cry "<em>but I want all my information for free!</em>"
<br />
<br />The point is, should you stop and think about it for more than a minute, there is no such thing as a free lunch - or a free independent test report. Someone, somewhere, has to pay for it. And at the end of the day, the test lab has to make a living, and there are only three ways it can do that:
<br />
<br /><em>1. Free testing, free reports, money comes from advertising
<br />
<br />2. Money comes from participating vendors - reports are made available for free
<br />
<br />3. Testing is free to vendors, end-users have to pay for reports</em>
<br />
<br />That's it. Those are your choices. And in all honesty, there is no difference between options 1 and 2, except that advertising revenue is hard to come by and the tests are never likely to be as thorough as you would like. Option 1 is the magazine model, and we can ignore it when discussing independent test labs.
<br />
<br />So the proper labs are left with two choices - vendor pays or end-user pays.
<br />
<br />The first question is, does the fact that the vendor pays for the test devalue that test in any way? The answer is, "<em>it depends on the integrity of the lab</em>". If the lab prepares a solid, vendor-agnostic test methodology and sticks to it and reports all results, warts and all, for all vendors in the same way, then the model works just fine. Where the vendor (or in some cases, a consortium of vendors, even when watered down with tame test labs) gets to define the test methodology, or veto test methodologies it does not like, then there is something rotten in the state of Denmark. Avoid reports that come out of such a process.
<br />
<br />You can usually sniff out the best methodologies - look for the ones that are open, thorough, published, clearly vendor-agnostic and which result in tests which are repeated time after time in the same way. Avoid "methodologies" which are aiming for the lowest common denominator, or which are "one-offs", clearly specified by a single vendor to show their product in the best light. How can you spot those? Simple - they are indeed one-offs, and you will never see that test methodology used to test another product. Labs should have a different test methodology for each <strong>product category</strong> - watch out for the ones which have a different methodology for each <strong>vendor</strong>!
<br />
<br />I speak from experience here, having spent almost 20 years in the testing and certification business before joining Gartner. Now personally, I never used to accept single-vendor sponsored reports. Not because I wasn't confident I could still do the same rigorous, independent test, but because of the perception. If the vendor concerned doesn't like the report, he gets to squash it - that's his right as the commissioning entity. But if he does well in the test, then he will be more than happy to publish the results. Unfortunately, no matter how scrupulous the tester and the testing process, anyone who doesn't like what the report has to say (other vendors, or end users who purchased competing products and don't like that their choice was not validated publicly) will cry - usually loudly and publicly - "<em>well of course they were bound to win - they paid for it!</em>" Very unfair on all concerned, but almost inevitable.
<br />
<br />Group tests usually work better, since even when the vendors are paying, it is obvious that they are a) all paying the same, and b) they are all being tested and reported under the same methodology. Unfortunately, the vendors still usually get the option to squash reports which can have the unwanted side-effect of a group test of 12 vendors resulting in a finished report containing only 2! In addition, vendors can hide behind budgetary issues as an excuse for non-participation.
<br />
<br />This brings us to option number 3. This is a huge gamble for the test lab, which can spend months testing products only to find that sales do not cover costs. But the advantages are clear. They can dictate who is tested and can include vendors who would prefer not to participate because of technical issues. This approach is fine as long as the vendors are given the option to provide technical support and ensure their product is correctly configured.
<br />
<br />As with the paid group test, everyone is treated equally and the results are reported warts and all. This time, the vendors don't get the option to pull out of the test if they do badly, of course, and this can result in some nasty repercussions for the lab. Vendors who do badly will go on a massive PR damage limitation offensive which will include some very public denouncements of the process and findings. Sometimes these attacks are not so public, aimed at existing customers via private communications, making it almost impossible for the lab to defend itself against unfounded allegations.
<br />
<br />The end result, however, is a report which is much more valuable to the end user and potential purchaser of the products under test. The down side, of course, is that now it has to be paid for! C'est la vie. You can't have your cake and eat it too!
<br />
<br />The vendors, too, must learn that they cannot have it both ways. If they do not want to pay for testing up front, then when the lab finds problems with their product what can they expect for free? Certainly the lab should tell them what they found and why the product did poorly. But how much information are they obligated to provide? Surely that is the extent of it? Should they be expected to act as an unpaid QA facility for vendors? Or should they - should we all - expect that these products do what the vendors claim, and if they don't they need to be fixed at the vendor's expense?
<br />
<br />The vendor is always at liberty to go away and invest in research and technical staff to reproduce the bugs or problems found. Or it can choose to pay for consultancy to expedite that process. I keep seeing vendors complaining in public forums about how they did poorly in tests and the test lab won't provide them with all of their test material to reproduce the tests.
<br />
<br />Well, why should they? Shouldn't that be considered their intellectual property? Should they not be recompensed for helping vendors fix these glaring errors? How do you as end users feel about vendors which will not invest in their own QA process but expect external entities to do it for free?
<br />
<br />Who amongst us here is willing to work for free? It is not a widely accepted concept - don't apply it to others unless you are prepared to do it yourself.
<br />Bob Walderhttp://www.blogger.com/profile/15450051597019974804noreply@blogger.com0